Traefik proxy protocol not working. Not able to get Original source IP on tcp message

My application is running on a TCP port and exposed via the Traefik ingress CRD. I have created an ingresstcp router in which I have added proxy protocol. Below is my configuration:

```yaml
kind: IngressRouteTCP
metadata:
  name: my-service-tcp
  namespace: monitoring
spec:
  entryPoints:
  - tcpep
  routes:
  - match: HostSNI(`*`)
    services:
    - name: my-service
      port: 9090
      proxyProtocol:
        version: 1
```

My application has support for proxy protocol. It will detect the original source IP from the Proxy protocol header. But every time I am getting the Traefik IP in my application logs and in tcpdump also. Proxy protocol is not working in Traefik. Please help.

Thanks,
Shubham

Use 3 backticks in front and after the code to format it, or select the code and press the </> button.

Are you running a current Traefik version? It seems it's only supported since v2.4 (doc).

Of course TCPdump will show the Traefik IP because this is where the packet came from. But when ProxyProtocol is active, you will see the originating IP in the content of the packet.

Thanks for the quick response. I was trying in Traefik v2.3. Let me try in Traefik v2.9. Will get back

I tried with Traefik v2.9 and it is working fine. We are getting the original source IP. But we are also not getting an error in Traefik v2.3 that proxy protocol is not supported.

When you change my link to 2.3 you will see it’s not there :wink:

I am using the Traefik ingress controller and routing the TCP request to my application, which has proxy protocol support. But I am getting the same IP every time as the original source IP, even though I am executing the request from different hosts. It looks like a subnet IP. I am using Traefik v2.9.

Below are the Traefik debug logs related to proxy protocol:

```
time="2023-07-24T05:15:13Z" level=debug msg="Handling connection from 10.x.0.0:2787 to 10.x.x.123:9090"
```

The original source IP is always coming as 10.x.0.0. Is it the K8 cluster subnet IP or something? I should get the original source IP from where I am executing the request.

I would not expect to see ProxyProtocol IPs in the Traefik debug log. Check the Traefik access log.

I am sending a TCP message that will not come in the access log. I am getting the Kubernetes cluster CIDR IP as the original source IP. Why am I getting the CIDR IP in proxy protocol? Do I need to add trusted IPs in the entry point proxy protocol configuration?

Below are the logs on my application side and the Traefik logs.

Traefik debug logs:

```
time="2023-07-24T10:50:15Z" level=debug msg="Handling connection from 10.244.0.0:59657 to 10.x.43.123:9090"
```

Application logs:

```
2023-07-24 10:50:16.665 INFO app1 [pool-3-thread-71] MessageParserService : Decoded proxy message: HAProxyMessage(protocolVersion: V2, command: PROXY, proxiedProtocol: TCP4, sourceAddress: 10.244.0.0, destinationAddress: 10.244.2.144, sourcePort: 12007, destinationPort: 8000, tlvs: )
```

Seems like you need to set trusted IPs or insecure to trust any (doc).

I have added that also, still not getting the original source IP. My services are deployed as type: ClusterIP. Below is the Traefik configuration

Try with =true

```
--entryPoints.web.proxyProtocol.insecure=true
```

Tried with true

Still getting the original source IP as the Kubernetes cluster IP only:

```
time="2023-07-24T12:29:53Z" level=debug msg="Handling connection from 10.244.0.0:20566 to 10.244.3.205:9090"
time="2023-07-24T12:29:53Z" level=debug msg="Error while setting deadline: set tcp 10.244.3.207:51840: use of closed network connection"
```

@bluepuma77 ,

Any solution to this issue? Traefik is getting the client IP as the Kubernetes cluster CIDR IP 10.244.0.0. Not getting the original source IP from where the request is originating.